The GDPR will come into force exactly four months from Thursday. In preparation, the European Commission has released a new website with extensive guidance on GDPR implementation, together with a Fact Sheet containing Q&As on the GDPR. While much of the guidance is already known to privacy professionals, there are new insights as well.
For example, the Commission posted a Communication explaining that it has convened an “Expert Group” (which has already met 13 times) to assist Member States in GDPR implementation. The Communication also describes the “infringement procedure,” which would be implicated should a Member State fail to properly implement the GDPR. Further, the Commission reported that it is considering updating Convention 108, the only legally binding multilateral instrument in the area of personal data protection. The new language would reflect that of the GDPR to universally reconcile data protection principles.
The Commission also released a “Next steps” document, which clearly sets out actions to be taken by the European Commission toward Member States, data protection authorities (“DPAs”), and citizens and businesses/organizations processing data through the year 2020. These steps include monitoring GDPR application, liaising with stakeholders to gather their feedback on GDPR implementation and awareness, and co-financing awareness-raising actions of DPAs. The document also indicates that the Commission plans to issue a report on the application of the new rules in 2020.
While it is widely understood that the GDPR will be a work in progress for all parties, the Commission has expressed concern regarding newer Member States and small- to medium-sized businesses. Of particular concern is that not all 28 EU Member States will have had similar GDPR experience and preparation. However, the Commission has taken steps to combat the imbalance. The Commission has designated 1.7 million euros to fund DPAs and to train data protection professionals. It designated an additional two million euros for Member State-level information campaigns for smaller businesses. It has also planned targeted outreach to small and medium-sized businesses in Member States where there is a larger-scale lack of awareness of the GDPR. The Commission is already planning to organize a one-year-anniversary gathering with subject matter experts, politicians, DPAs, and other stakeholders to evaluate their experiences with implementing the GDPR.
The Commission clearly recognizes that there is a lot to be done in the next four months before the GDPR comes into play. However, it has made clear that the GDPR will be taken seriously and Member States would be wise to carry out GDPR implementation swiftly and properly.